TikTok video downloader extensions infect over 130K users with covert spyware


Featured Chrome and Edge browser extensions for downloading TikTok videos are secretly spying on users and profiling them. They have remote-control backdoors that could be abused for data exfiltration or worse. Twelve extensions infected over 130,000 users.

LayerX security researchers are warning about a covert malicious campaign, dubbed “StealkTok,” which has already launched at least 12 browser extensions masquerading as TikTok video downloaders.

Under the hood, the malicious extensions extensively profile users, tracking web usage patterns, downloaded content, device information, and environmental data. They also include remote-control functionality, enabling threat actors to load custom configurations and modify extension behavior on the fly.


“In a worst-case scenario, the same mechanisms could be repurposed for broader data exfiltration, abuse of authenticated requests, or integration into larger proxy or botnet-like infrastructures,” the report by LayerX reads.

At least 130,000 users have been compromised during the campaign, and most of the extensions (eight) remain live on the browser web stores.


All the extensions share large parts of the same code and are lightly modified clones of each other. This indicates that the threat actor is persistent and releases new extensions when some are flagged or removed.

“The extensions typically operate legitimately for 6-12 months before introducing malicious features,” the researchers explained.


The most popular were Google Chrome extensions: “TikTok Video Keeper” (60,000 installs), “Mass TikTok Video Downloader” (30,000), “Video Downloader for TikTok” (20,000), and “TikTok Downloader – Save Videos, No Watermark” (10,000). Google has already removed these extensions.


The other malicious extensions include the following, all active:

  • TikTok Downloader – Save Videos, No Watermark (Chrome) – 3,000 installs.
  • TikTok Video Downloader – Bulk Save (Chrome) – 1,000 installs.
  • TikTok Downloader (Chrome) – 353 installs.
  • TikTok Video Downloader – Save Without Watermark (Chrome) – 4,000 installs.
  • Mass TikTok Video Downloader (Edge) – 77 installs.
  • TikTok Video Downloader – Save Without Watermark (Edge) – 9 installs.
  • TikTok Downloader – Save Videos, No Watermark (Edge) – 47 installs.
  • Mass TikTok Video Downloader (Chrome) – 4,000 installs.

What can malicious extensions do?

Once the undeclared “additional capabilities” are introduced via updates, the extensions can fetch configurations from attacker-controlled servers and change their behavior instantly. The extension's full behavior is therefore never visible at review time, which helps it pass store review and evade security controls that only inspect the code as submitted.

“The real risk lies not in what the extensions do today, but in what they are capable of doing tomorrow.”

LayerX researchers note that, through this remote configuration, the operators can enable or disable features, redirect network activity, and expand data collection without shipping a new version.


“These extensions collect detailed telemetry about users, including how often they use the tool, what content they interact with, and various device characteristics such as language, timezone, and user agent. Even battery status is captured, an unusual but valuable signal for device fingerprinting,” the report reads.

The infrastructure behind them demonstrated clear signs of deception – many domains had typosquatting patterns, such as “trafficreqort” instead of “trafficreport” or “tiktak” instead of “tiktok.”

Researchers warn that current defenses have a fundamental gap: security tools focus on installation-time validation, but the real risks emerge at runtime, often months after installation and after the extension has earned a benign reputation.
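Because the malicious behavior arrives later via remote configuration, what a reviewer can look for up front is the capability for it: periodic fetches of a “config” object, dynamic network-rule updates, fingerprinting calls such as the battery API, broad host permissions, and lookalike domains of the kind mentioned above. The following Node.js script is an added example written for this article, not LayerX's tooling or code from any of the extensions; it scores an unpacked extension's manifest and background script against those indicators. The sample manifest, the sample source, the indicator list, the weights, and the score threshold of 8 are all constructed assumptions for illustration.

```javascript
// Added example (not LayerX's tooling, not the extensions' own code): a static
// triage pass that flags the remote-reconfiguration and fingerprinting
// capabilities described in the article. Everything below is constructed.

// Brand names whose near-misses we treat as lookalike domains (assumption).
const BRANDS = ["tiktok", "trafficreport"];

// Constructed sample manifest in the style of a downloader extension.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Example Video Saver",
  permissions: ["storage", "alarms", "declarativeNetRequest", "scripting"],
  host_permissions: ["<all_urls>"],
  background: { service_worker: "bg.js" },
};

// Constructed sample background script: hourly config pull, dynamic rules,
// battery/timezone telemetry. Not taken from any real extension.
const SAMPLE_SOURCE = `
chrome.alarms.create('cfg', { periodInMinutes: 60 });
chrome.alarms.onAlarm.addListener(async () => {
  const r = await fetch('https://api.trafficreqort.com/v1/config');
  const cfg = await r.json();
  await chrome.storage.local.set({ cfg });
  if (cfg.rules) chrome.declarativeNetRequest.updateDynamicRules({ addRules: cfg.rules });
});
navigator.getBattery().then(b => report({ level: b.level,
  tz: Intl.DateTimeFormat().resolvedOptions().timeZone }));
`;

// Single-row Levenshtein edit distance.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1,
                         diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Any hostname label within edit distance 1-2 of a brand (but not equal to it)
// is reported as a lookalike, e.g. "trafficreqort" or "tiktak".
function lookalikeHosts(source) {
  const hosts = new Set();
  for (const m of source.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) hosts.add(m[1].toLowerCase());
  const hits = [];
  for (const host of hosts) {
    for (const label of host.split(".")) {
      for (const brand of BRANDS) {
        const distance = levenshtein(label, brand);
        if (distance > 0 && distance <= 2) hits.push({ host, label, brand, distance });
      }
    }
  }
  return hits;
}

// Source-level indicators and their weights (weights are an assumption).
const INDICATORS = [
  { id: "remote-config-fetch", re: /fetch\([^)]*(config|cfg|settings)/i, weight: 3 },
  { id: "periodic-alarm", re: /chrome\.alarms\.create/, weight: 1 },
  { id: "dynamic-net-rules", re: /declarativeNetRequest\.updateDynamicRules/, weight: 3 },
  { id: "battery-fingerprint", re: /navigator\.getBattery/, weight: 2 },
  { id: "timezone-fingerprint", re: /resolvedOptions\(\)\.timeZone/, weight: 1 },
  { id: "dynamic-code", re: /\beval\(|new Function\(/, weight: 4 },
];

// Combines source indicators, manifest permissions and lookalike hosts into a
// score; 8 is an arbitrary threshold chosen for this example.
function auditExtension(manifest, source) {
  const findings = [];
  let score = 0;
  for (const ind of INDICATORS) {
    if (ind.re.test(source)) { findings.push(ind.id); score += ind.weight; }
  }
  const hosts = manifest.host_permissions || [];
  if (hosts.includes("<all_urls>") || hosts.some((h) => h.startsWith("*://*/"))) {
    findings.push("all-urls-host-permission"); score += 2;
  }
  const perms = manifest.permissions || [];
  for (const p of ["webRequest", "declarativeNetRequest", "scripting", "cookies"]) {
    if (perms.includes(p)) { findings.push("perm:" + p); score += 1; }
  }
  const lookalikes = lookalikeHosts(source);
  score += 3 * lookalikes.length;
  return { score, findings, lookalikes, verdict: score >= 8 ? "manual review" : "low" };
}

console.log(JSON.stringify(auditExtension(SAMPLE_MANIFEST, SAMPLE_SOURCE), null, 2));
```

The point of the scoring is not that any single indicator is malicious: a legitimate downloader may well use alarms or declarativeNetRequest. The combination of a remotely fetched config object, the ability to install network rules from it, and fingerprinting telemetry is exactly the capability set the article describes, and that capability exists before any malicious configuration is ever served.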
